On 11/18/2010 05:04 PM, Rob Crittenden wrote:
Simo Sorce wrote:
On Fri, 05 Nov 2010 15:20:27 -0400
Rob Crittenden<rcrit...@redhat.com>  wrote:

When a host is deleted we revoke its certificate, if any.

When a host keytab is disabled we disable all the keytabs and revoke
the certificates of its services.

I've also tried to make it more universal to display certificate
details when viewing a record with a certificate in it.

rob

a. needs rebase (I did a rebase on my own, hopefully the next point was
not because of that)

b. after some fiddling and testing ipa host-disable seems to return a
bogus error of: ipa: ERROR: no modifications to be performed
and if tried again: ipa: ERROR: This entry is already disabled

Possibly the first error was returned because the service I took a cert
for (to test the cert was removed on disabling, which it was) didn't
have a keytab associated.

So NACK on this error, but the general approach looks good.

Simo.


Updated patch attached. Here is how to test it.

My IPA server is on host slinky.example.com. I'm doing these commands from there.

# mkdir /etc/nsstmp
# certutil -N -d /etc/nsstmp (for simplicity do not set a password)
# ipa host-add puma.example.com
# ipa-getkeytab -s slinky -k /tmp/test.kt host/puma.example.com
# ipa-getcert request -d /etc/nss -n Server-Cert -N "cn=puma.example.com,O=EXAMPLE.COM" -K host/puma.example....@example.com

Now run this until the cert is in the state MONITORING
# ipa-getcert list

Just to double check, look at the host, it should have a keytab and a cert:

# ipa host-show puma
  Host name: puma.example.com
  Certificate: [certificate value omitted]
  Principal name: host/puma.example....@example.com
  Keytab: True
  Managed by: puma.example.com
  Subject: CN=puma.example.com,O=EXAMPLE.COM
  Serial Number: 1029
  Issuer: CN=EXAMPLE.COM Certificate Authority
  Not Before: Thu Nov 18 20:41:16 2010 UTC
  Not After: Wed Nov 18 20:41:16 2015 UTC
  Fingerprint (MD5): 2a:f5:47:88:62:93:7f:87:2e:c5:d6:9a:11:df:b3:9d
  Fingerprint (SHA1): a0:4a:b2:2a:fc:f9:0f:cc:e7:18:30:29:7e:f6:63:75:8a:8d:45:12

Finally we're ready to test if disabling the host revokes/removes the cert too:

# ipa host-disable puma
---------------------------------------------------------
Removed kerberos key and disabled all services for "puma"
---------------------------------------------------------

Verify that the host is disabled and its cert is gone:

# ipa host-show puma
  Host name: puma.example.com
  Principal name: host/puma.example....@example.com
  Keytab: False
  Managed by: puma.example.com

Note that I'm allowing admin to write enrolledBy again. I need to find a better way to handle the attribute, but let's clear it without errors for now.

rob


_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
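One way to script the "verify the host is disabled and its cert is gone" step from the test procedure above, as an added example that is not part of the patch or the thread. The two `ipa host-show` outputs are constructed from the transcript, and the `field` / `host_*` helpers are hypothetical names chosen here.

```shell
#!/bin/sh
# Added example: check `ipa host-show` output (format as shown in the
# thread) for a keytab and a certificate, before and after host-disable.

# Constructed sample: output before `ipa host-disable` (cert value is a
# placeholder, not a real certificate).
BEFORE_DISABLE='  Host name: puma.example.com
  Certificate: MIIC...base64-placeholder...
  Keytab: True
  Managed by: puma.example.com
  Subject: CN=puma.example.com,O=EXAMPLE.COM
  Serial Number: 1029
  Issuer: CN=EXAMPLE.COM Certificate Authority'

# Constructed sample: output after `ipa host-disable` (no Certificate line,
# Keytab flipped to False), matching what the patch is expected to produce.
AFTER_DISABLE='  Host name: puma.example.com
  Keytab: False
  Managed by: puma.example.com'

# field OUTPUT NAME: print the value of the "NAME: value" line, or nothing.
field() {
    printf '%s\n' "$1" | sed -n "s/^ *$2: *//p"
}

# host_has_keytab OUTPUT: succeed if the host still has a Kerberos key.
host_has_keytab() {
    [ "$(field "$1" 'Keytab')" = "True" ]
}

# host_has_cert OUTPUT: succeed if a Certificate line is present.
host_has_cert() {
    [ -n "$(field "$1" 'Certificate')" ]
}

# host_disabled_ok OUTPUT: succeed only when both keytab and cert are gone.
host_disabled_ok() {
    ! host_has_keytab "$1" && ! host_has_cert "$1"
}

# Against a live server: host_disabled_ok "$(ipa host-show puma)"
host_disabled_ok "$BEFORE_DISABLE" && echo "before: unexpectedly disabled" \
    || echo "before: enrolled (keytab and cert present)"
host_disabled_ok "$AFTER_DISABLE" && echo "after: keytab and cert removed" \
    || echo "after: still has a keytab or a cert"
```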
ACK and pushed to master